Recipe 8.5 Relaying Based on the CA

Previous page
Table of content
Next page

Problem

You have been asked to configure sendmail to grant relaying privileges to STARTTLS clients that present a certificate signed by a trusted certificate authority.

Solution

Make sure that OpenSSL is installed as described in Introduction and that sendmail is compiled with STARTTLS support as shown in Recipe 1.6 and Recipe 1.7.

Identify each trusted certificate authority in the access database using CERTISSUER : entries. The key field of each entry begins with the CERTISSUER : tag followed by the distinguished name of the CA. The return value of the entry is the keyword RELAY , indicating that any host presenting a certificate signed by the trusted CA is granted relaying privileges.

Create a STARTTLS sendmail configuration and add the access_db feature. Here are samples of the defines that configure STARTTLS and the FEATURE macro that enables the access database: 

 dnl Point to the CA certificate directory define(`confCACERT_PATH', `/etc/mail/certs') dnl Point to the root CA's certificate define(`confCACERT', `/etc/mail/certs/cacert.pem') dnl Point to the certificate used for inbound connections define(`confSERVER_CERT', `/etc/mail/certs/cert.pem') dnl Point to the private key used for inbound connections define(`confSERVER_KEY', `/etc/mail/certs/key.pem') dnl Point to the certificate used for outbound connections define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem') dnl Point to the private key used for outbound connections define(`confCLIENT_KEY', `/etc/mail/certs/key.pem') dnl Enable the access database FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail , and restart sendmail. Recipe 1.8 provides an example of these steps.

Discussion

TLS can provide strong authentication of the end points and encryption of the data stream. Despite these important security features, establishing a STARTTLS connection is not, by itself, enough to grant relaying privileges. A test shows this: 

 #  sendmail -Am -v -t   To: craig@crab.wrotethebook.com   From: craig@rodent.wrotethebook.com   Subject: Attempt to relay after successful TLS connection   Ctrl-D  craig@crab.wrotethebook.com... Connecting to chef.wrotethebook.com. via relay... 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 - 0400 >>> EHLO rodent.wrotethebook.com 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to  meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 250-STARTTLS 250-DELIVERBY 250 HELP >>> STARTTLS 220 2.0.0 Ready to start TLS >>> EHLO rodent.wrotethebook.com 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to  meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH EXTERNAL DIGEST-MD5 CRAM-MD5 250-DELIVERBY 250 HELP >>> MAIL From:<craig@rodent.wrotethebook.com> SIZE=102 AUTH=craig@rodent. wrotethebook.com 250 2.1.0 <craig@rodent.wrotethebook.com>... Sender ok >>> RCPT To:<craig@crab.wrotethebook.com> >>> DATA 550 5.7.1 <craig@crab.wrotethebook.com>... Relaying denied 503 5.0.0 Need RCPT (recipient) >>> RSET 250 2.0.0 Reset state craig... Connecting to local... craig... Sent Closing connection to chef.wrotethebook.com. >>> QUIT 221 2.0.0 chef.wrotethebook.com closing connection

In response to the first EHLO command, the server advertises STARTTLS . The client then issues a STARTTLS command, and the server responds that it is ready. This indicates that an encrypted session will start. The second EHLO command is the first SMTP command in the encrypted session. It is followed by a MAIL From : and a RCPT To : command. Notice the response to the RCPT To : command. [3] The message is rejected with a "Relaying denied" error, even though it comes in the midst of an encrypted session. Clearly, TLS does not, by itself, authorize relaying. It is up to the sendmail administrator to decide when and how TLS authentication data should be used. One way to use TLS data is through the access database.

[3] Because of PIPELINING, which the EHLO response shows is offered on this system, some SMTP commands are sent together to save on TCP roundtrip times. For this reason, the response to the RCPT To : command follows the DATA command in this example.

The ${verify} and ${cert_issuer} macros are used in the Local_Relay_Auth ruleset to authorize relaying. ${verify} contains OK when sendmail is able to verify the CA signature on the certificate received from a remote site. sendmail takes the distinguished name of the CA that signed the certificate from the Issuer field of the certificate and stores it in the macro ${cert_issuer} . If ${verify} equals OK , sendmail searches the access database for a CERTISSUER : entry that matches the ${cert_issuer} value. If a match is found, the action specified by the CERTISSUER : entry is taken. If no match is found, processing continues normally. Here is an example of adding a CERTISSUER : entry to the access database: 

 #  cd /etc/mail  #  cat >> access CERTISSUER:/C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/ Email=craig@chef.wrotethebook.com    RELAY   Ctrl-D  #  makemap hash access < access

Given the access database entry just shown, a site that presents a certificate signed by /C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/Email=craig@chef.wrotethebook.com is granted relaying privileges. /C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/Email= craig@chef.wrotethebook.com is the complete DN of the private CA created in Recipe 8.1. Therefore, any host with a certificate signed by our private CA is allowed to relay mail.

A DN can contain almost any character. Several characters , however, have special meaning to sendmail and others are difficult to enter into the access database. For these reasons, the DN stored in the access database uses a special format for storing nonprintable characters, the space, the tab, <, >, (, ), ", and +. These characters are stored as their hexadecimal values preceded by a plus. For example, a space becomes +20, a ( becomes +25.

After adding the CERTISSUER : entry to the access database, rerun the test shown earlier in this section. The RCPT To : command now produces the following result: 

 >>> RCPT To:<craig@crab.wrotethebook.com> 250 2.1.5 <craig@crab.wrotethebook.com>... Recipient ok

The client is now granted relaying privileges because a CA that is trusted to authorize relaying signed the client's certificate.

See Also

Recipe 8.4 covers the STARTTLS sendmail configuration used as the basis for this recipe. The private CA mentioned in the discussion of this recipe is covered in Recipe 8.1. Chapter 3 discusses the traditional techniques used to grant relaying privileges, including the access database. The content of a certificate, including the Issuer field, is covered in this chapter's Introduction. The sendmail book discusses using the access database for STARTTLS in Section 10.10.8.


Previous page
Table of content
Next page
Sendmail Cookbook
sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
Metrics and Models in Software Quality Engineering (2nd Edition)
Managing Enterprise Systems with the Windows Script Host
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
InDesign Type: Professional Typography with Adobe InDesign CS2
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy